SAN FRANCISCO: Cybersecurity researchers are raising alarms over a new wave of threats emerging from AI agents — advanced artificial intelligence systems designed to perform tasks online autonomously — warning that these tools could be hijacked and exploited by hackers to carry out malicious operations.
AI agents, unlike traditional chatbots, can perform a wide range of digital tasks such as booking flights, scheduling meetings, managing emails, or even handling financial transactions — all through natural language commands. But this same convenience, experts say, has introduced a dangerous new attack surface for cybercriminals.
“We’re entering an era where cybersecurity is no longer about protecting users from bad actors with a highly technical skillset,” said AI startup Perplexity in a blog post. “For the first time in decades, we’re seeing new and novel attack vectors that can come from anywhere.”
The rise of “prompt injection” attacks
The primary concern centers around injection attacks — a decades-old hacking technique that has evolved alongside AI. In the context of AI agents, these attacks occur when malicious prompts or instructions are secretly embedded in data or online content.
When an AI agent encounters such hidden commands, it can be manipulated into performing unintended actions, from sending unauthorized payments to exfiltrating sensitive data.
Marti Jorda Roca, an engineer at cybersecurity firm NeuralTrust, explained that the problem lies in the agent’s autonomy. “People need to understand there are specific dangers using AI in the security sense,” he said, adding that the risk increases as agents are given more independence online.
Meta has publicly labeled this vulnerability a “query injection threat,” while OpenAI’s Chief Information Security Officer Dane Stuckey has called it “an unresolved security issue.” Both tech giants are reportedly investing heavily to mitigate these risks as the use of AI agents expands rapidly.
When convenience meets vulnerability
Query injections can occur in multiple ways. In one example, a user command such as “book me a hotel reservation” could be maliciously modified into “transfer $100 to this account.”
In another, AI agents integrated into browsers may unknowingly interact with compromised web pages containing hidden prompts that override user intent.
Eli Smadja, cybersecurity researcher at Check Point, described these attacks as the “number one security problem” facing large language models (LLMs). “One huge mistake that I see happening a lot is to give the same AI agent all the power to do everything,” he warned.
Industry response and growing concern
Tech firms are already deploying preventive measures. Microsoft has added tools to detect malicious commands by analyzing their origins and context, while OpenAI now alerts users when AI agents attempt to access sensitive sites, requiring human supervision for high-risk tasks.
Some experts recommend stricter oversight — for instance, requiring explicit user approval for sensitive actions such as transferring funds or exporting data.
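As an added illustration (not code from the article or from any vendor it names) of the controls described above: each agent gets only the tools its task needs, instructions that originated in content the agent fetched are never executed, and high-risk actions such as fund transfers or data export require a human to approve them. The tool registry, risk levels and the approval callback are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Risk(Enum):
    LOW = "low"
    HIGH = "high"  # money movement, data export: needs a human in the loop

# Constructed registry of tools an agent might call, with their risk level.
TOOLS = {
    "search_hotels": Risk.LOW,
    "book_hotel": Risk.HIGH,
    "transfer_funds": Risk.HIGH,
    "export_contacts": Risk.HIGH,
}

@dataclass
class Action:
    tool: str
    args: dict
    source: str  # "user" = typed by the user; "content" = text the agent read online

class AgentGuard:
    def __init__(self, allowed_tools, approve):
        self.allowed = set(allowed_tools)  # least privilege: one agent, few tools
        self.approve = approve             # callback that asks a human to confirm
        self.audit = []                    # every decision is kept for detection

    def dispatch(self, action):
        # Provenance first: text read from a web page or e-mail is data, never a command.
        if action.source != "user":
            return self._record(action, "denied: instruction originated in fetched content")
        if action.tool not in TOOLS:
            return self._record(action, "denied: unknown tool")
        if action.tool not in self.allowed:
            return self._record(action, "denied: tool not granted to this agent")
        if TOOLS[action.tool] is Risk.HIGH and not self.approve(action):
            return self._record(action, "denied: human approval withheld")
        return self._record(action, "executed")

    def _record(self, action, verdict):
        self.audit.append((action.tool, action.source, verdict))
        return verdict

def run_demo(approve=lambda a: a.tool == "book_hotel"):
    # Replays the article's scenario: a booking agent meets a hidden transfer instruction.
    guard = AgentGuard(["search_hotels", "book_hotel"], approve)
    return [
        guard.dispatch(Action("search_hotels", {"city": "Paris"}, "user")),
        guard.dispatch(Action("book_hotel", {"id": 42}, "user")),
        guard.dispatch(Action("transfer_funds", {"amount": 100}, "content")),
        guard.dispatch(Action("transfer_funds", {"amount": 100}, "user")),
    ]
```

The audit list is what a detection team would ship to its logging pipeline: a burst of "denied: instruction originated in fetched content" verdicts is the signal that an agent is browsing pages that carry injected prompts.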
But cybersecurity analyst Johann Rehberger, known in the industry as “Wunderwuzzi,” cautions that current AI systems are far from trustworthy for unsupervised use.
“I don’t think we are in a position where you can have an agentic AI go off for a long time and safely do a certain task,” he said. “It just goes off track.”
The growing sophistication of hackers, coupled with the accelerating deployment of autonomous AI systems, means that the next frontier of cybersecurity will depend not just on stronger code — but on smarter, safer design principles for AI itself.